One document matched: draft-dupont-dnsext-ec-tkey-00.xml

<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc text-list-sybols="o-*+"?>
<rfc category="std" docName="draft-dupont-dnsext-ec-tkey-00" ipr="trust200902"
     updates="2930,2539,2931">
  <front>
    <title abbrev="ECDH TKEY">
      Modern cryptography TKEY
    </title>
    <author fullname="Francis Dupont" initials="F." surname="Dupont">
      <organization>Internet Systems Consortium</organization>
      <address>
        <email>fdupont@isc.org</email>
      </address>
    </author>

    <date day="18" month="February" year="2013" />

    <workgroup>DNS Extensions Working Group</workgroup>

    <keyword>ECDH, TKEY</keyword>

    <abstract>
      <t>This document updates the TKEY resource record specifications
      for the use of Elliptic Curve Diffie-Hellman, and related IANA
      registries.</t>
    </abstract>
  </front>

  <middle>

    <section title="Introduction">
      <t>The TKEY resource record <xref target="RFC2930" /> was designed
      to enable the establishment of a shared secret between DNS client
      and server, using GSS-API or a Diffie-Hellman exchange.</t>

      <t>The purpose of this document is to modernize the cryptography
      used by the Diffie-Hellman variant of TKEY, i.e., to move to
      ECDH (Elliptic Curve Diffie-Hellman). As a side effect,
      registries for the DH KEY <xref target="RFC2539" /> and SIG(0)
      <xref target="RFC2931" /> resource records are updated.</t>

      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
      "OPTIONAL" in this document are to be interpreted as described
      in <xref target="RFC2119">RFC2119</xref>.</t>
    </section>

    <section title="ECDH groups">
      <t>This document specifies a new "well-known group" with
      a 1536 bit prime for the DH KEY resource record
      <xref target="RFC2539" />, taken from the expired
      revision <xref target="I-D.ietf-dnsext-rfc2539bis-dhk" />,
      in the <xref target="group3" />. (this group is supported
      by some implementations, the idea is to make it official)</t>

      <t>The NIST P-256 and P-384 curve groups are added as groups 13
      and 14. These groups are already used in several IETF RFCs,
      including <xref target="RFC5114" />, or for DNSSEC
      <xref target="RFC6605" />. A public key is the uncompressed form
      of a curve point, so on twice 256 or 384 bits. The shared secret
      is the first coordinate of the Diffie-Hellman common value, so
      on 256 or 384 bits.</t>
    </section>

    <section title="ECDH TKEY">
      <t>The ECDH TKEY reuses the DH TKEY (<xref target="RFC2930">
      RFC2930</xref> section 4.1) specification with some changes.</t>

      <t>The Diffie-Hellman exchange uses the Elliptic Curve P-256
      group, the hash function is SHA-256.</t>

      <t>The "key data" lengths MUST be at least 128 bits / 16 octets,
      and SHOULD be at most 256 bits / 32 octets.</t>

      <t>The "keying material" is derived using the formula
      (taken from <xref target="RFC4306">IKEv2</xref>):
      <figure><artwork>
      keymat = HMAC-SHA-256(query data | server data, ECDH value)
      </artwork></figure></t>
    </section>

    <section title="IANA Considerations">
      <t>The
      "DNS KEY Record Diffie-Hellman Well-Known Prime/Generator Pairs"
      registry is modified by the addition of entries for 3, 13 and 14,
      with "A 1536 bit prime", "EC P-256" and "EC P-384" for descriptions,
      and this document for the reference.</t>

     <t>The "DNS Security Algorithm Numbers" registry is modified by
     adding TKEY in the "transaction security mechanisms" and
     by making ECDSAP256SHA256 and ECDSAP384SHA384 eligible for
     transaction security.</t>

     <t>The "SIG (0) Algorithm Numbers" registry is either updated /
     aligned with the preceding one, or simply suppressed as its
     content was merged into the preceding one.</t>
   </section>

   <section title="Security Considerations">
     <t>The Elliptic Curve cryptography is considered as being as
     safe as the modular prime field one but with faster
     operations and far smaller payloads, so should be
     a vector for better security.</t>

     <t>In the same way, more support and use of TKEY
     should be encouraged. This is why it had to be
     re-based on modern cryptography tools.</t>

     <t>To share a private key for two different usages
     is recognized as a bad practice, so when an ECDH TKEY
     is authenticated by ECDSAP256SHA256, the private
     key SHOULD NOT be shared.</t>
  </section>

  <section title="Acknowledgments">
    <t>Donald E. Eastlake 3rd is the author of the expired
    DH KEY revision <xref target="I-D.ietf-dnsext-rfc2539bis-dhk" />
    where the well-known group 3 was taken.</t>
  </section>
    
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2119"?>
      <?rfc include="reference.RFC.2539"?>
      <?rfc include="reference.RFC.2930"?>
      <?rfc include="reference.RFC.2931"?>
      <?rfc include="reference.RFC.5114"?>
    </references>

    <references title="Informative References">
      <?rfc include="reference.RFC.4306"?>
      <?rfc include="reference.RFC.6605"?>
      <?rfc include="reference.I-D.ietf-dnsext-rfc2539bis-dhk"?>
    </references>

    <section anchor="group3" title="Well-Known Group 3: A 1536 bit prime">
      <t>
      The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] +  741804 }.
      </t>

      <t>Its decimal value is:
        <figure><artwork><![CDATA[
        241031242692103258855207602219756607485695054850245994265411
        694195810883168261222889009385826134161467322714147790401219
        650364895705058263194273070680500922306273474534107340669624
        601458936165977404102716924945320037872943417032584377865919
        814376319377685986952408894019557734611984354530154704374720
        774996976375008430892633929555996888245787241299381012913029
        459299994792636526405928464720973038494721168143446471443848
        8520940127459844288859336526896320919633919
        ]]></artwork></figure></t>

      <t>Prime modulus Length (32 bit words): 48, Data (hex):
        <figure><artwork><![CDATA[
          FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
          29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
          EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
          E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
          EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
          C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
          83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
          670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
        ]]></artwork></figure></t>

      <t>Generator: Length (32 bit words):  1, Data (hex): 2</t>
    </section>

   </back>
</rfc>